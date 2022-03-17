Getting all this right is really important. Manufacturing cybersecurity is what keeps CIOs and CEOs awake at night. In other environments, it's about data loss - which is severe enough. But with OT, the stakes are higher, as people could get hurt or even killed.

Getting it right is also a cultural issue, notoriously the hardest of all business challenges.

Industrial control systems are typically owned by factory managers, not IT departments. They tend to be in place for a long time, during which things deteriorate, creating weaknesses. Modernizing them to interact with digital systems requires talking to IT, which involves new jargon, suppliers, protocols - and much else besides.

IT, in my experience, is not making a 'land grab' to own the OT element. But it has the most cybersecurity experience - and most networks are IP-based. The bottom line is that IT has established best practices to make systems resilient, and these must now be deployed across OT. It is logical that IT owns that role. However, this is a case of two separate worlds colliding, and it doesn't always go well.

Who is best placed to resolve any boundary disputes as IT and OT converge? It comes down to who has the necessary level of authority to influence both. IT is now more likely to have its own seat on the board due to Covid-19. Production managers tend to report to the COO. Governance then is at the CEO level. They, after all, are accountable to investors if the factory goes down after a cyberattack - or to health and safety investigators - and possibly the police - if there is an accident.

Cybersecurity has risen to the top of manufacturers' business agenda. It's time for the CEO to become actively involved in key decisions to resolve the risks created by the convergence of IT and OT.

